26 distinct techniques documented for this family, organized by ATT&CK tactic.
The tool works by abusing a legitimate Microsoft sign-in feature meant for devices without a keyboard or browser, tricking victims into approving a login on the attacker's behalf. Once that approval happens, the attacker walks away with a working session token, no multi-factor code required.
The attack usually begins with a convincing email impersonating a real vendor contact rather than inventing a fake company from scratch.
It also employs advanced multi-layer anti-analysis techniques and encrypted payloads to evade detection and enhance phishing operations.
The message spoofed an accounts payable contact at a legitimate contractor and directed the recipient toward what looked like a genuine SharePoint file link tied to an outstanding invoice.
Before any of that happens, the phishing kit runs a seven-layer screening process designed to filter out security scanners and automated bots. It checks browser fingerprints, watches for natural mouse movement, and waits nearly a full second before activating.
ARToken operates as an affiliate of the EvilTokens phishing-as-a-service operation, which targets Microsoft 365 accounts and bypasses multi-factor authentication.
EvilTokens abuses Microsoft’s OAuth 2.0 Device Authorization Grant... The service captures a victim’s tokens during that exchange and bypasses multi-factor authentication.
Once the victim enters the device code, the backend silently captures a working access token without ever asking for a password.
From there, operators can read the victim’s full email inbox, send messages appearing to come from the compromised account, and quietly create inbox rules that hide or forward evidence of the intrusion.
The panel gives criminal operators a dashboard packed with more than eighty functions, covering everything from refreshing stolen tokens to reading a victim’s entire email inbox.
The platform supports device code phishing, Primary Refresh Token (PRT) persistence, Business Email Compromise (BEC), SharePoint data exfiltration, and email access through a web-based dashboard.
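As an added defensive example (not code from this page, from Mallory, or from any vendor report), the following Python flags device-code sign-ins in Entra ID sign-in logs and raises the severity when the sign-in comes from outside the corporate range or is followed by inbox-rule creation in the Exchange audit log, the post-compromise step described above. Field names follow Microsoft's sign-in log (authenticationProtocol, ipAddress, userPrincipalName) and unified audit log (Operation == "New-InboxRule") schemas; the corporate IP range and all sample records are constructed.

```python
import ipaddress
from datetime import datetime, timedelta

# Assumption: the organisation's known egress range (constructed value).
CORPORATE_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed Entra ID sign-in records (field names follow the Graph signIn resource).
SIGNINS = [
    {"createdDateTime": "2024-05-01T09:00:00Z", "userPrincipalName": "a.lee@example.com",
     "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.10"},
    {"createdDateTime": "2024-05-01T09:15:00Z", "userPrincipalName": "a.lee@example.com",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.77"},
    {"createdDateTime": "2024-05-01T10:00:00Z", "userPrincipalName": "b.kim@example.com",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.22"},
]
# Constructed Exchange audit record; real records carry Parameters as a name/value list.
AUDIT = [
    {"CreationTime": "2024-05-01T09:40:00Z", "UserId": "a.lee@example.com",
     "Operation": "New-InboxRule", "Parameters": {"Name": ".", "DeleteMessage": "True"}},
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def is_external(ip):
    """True when the sign-in IP falls outside every known corporate range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in CORPORATE_NETS)

def device_code_alerts(signins=SIGNINS, audit=AUDIT, window=timedelta(hours=2)):
    """One alert per device-code sign-in, scored by the context around it."""
    alerts = []
    for s in signins:
        if s["authenticationProtocol"] != "deviceCode":
            continue  # interactive OAuth2 / browser sign-ins are the normal case
        severity = "medium"
        reasons = ["device code grant used (rare for interactive users)"]
        if is_external(s["ipAddress"]):
            severity = "high"
            reasons.append(f"from non-corporate IP {s['ipAddress']}")
        t0 = _ts(s["createdDateTime"])
        for a in audit:  # inbox rule created shortly after the sign-in = likely BEC setup
            if (a["UserId"] == s["userPrincipalName"] and a["Operation"] == "New-InboxRule"
                    and t0 <= _ts(a["CreationTime"]) <= t0 + window):
                severity = "critical"
                reasons.append(f"inbox rule '{a['Parameters'].get('Name')}' created within {window}")
        alerts.append({"user": s["userPrincipalName"], "severity": severity, "reasons": reasons})
    return alerts
```

Calling `device_code_alerts()` on the constructed records returns a critical alert for a.lee (external device-code sign-in followed by a delete-message rule) and a medium one for b.kim; in production, feed it the tenant's exported sign-in and audit records instead.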
17 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A phishing panel/kit that abuses Microsoft OAuth device code flow to steal Microsoft 365 session tokens, refresh stolen tokens, access email inboxes, browse/download SharePoint and OneDrive files, create inbox rules, and escalate access into longer-lived primary refresh tokens for persistence.
A recently deployed phishing-as-a-service platform targeting Microsoft 365 that uses device code phishing and token theft to bypass MFA, capture and refresh tokens, escalate to Primary Refresh Tokens, maintain persistent access, and enable Business Email Compromise, inbox monitoring, email rule manipulation, and SharePoint/OneDrive data exfiltration.